>telegram is the safest encrypted messaging app. Period, full stop.
Yes, let's see
* Not end-to-end encrypted by default
* No end-to-end encrypted groups
* No end-to-end encryption on any desktop client by the vendor, forcing cross-platform users to drop secret chats. This includes 81% of working age people who sit on their computer during work day, and 100% of college students and IT workers.
* No post-quantum key exchange
* No future secrecy
* No per-message forward secrecy
* Bullshit claims about distributed keys https://security.stackexchange.com/questions/238562/how-does...
* Lacks ALL metadata protection from server like phone number, IP-address and thus geolocation, contact list, group memberships, quantity and schedule of communication, data types. In fact --
* Secret chats leak additional metadata about intent to hide content from TG as the vendor.
Also,
History of poor encryption implementation
* 2013: A cracking contest https://news.ycombinator.com/item?id=6932648
* 2013: Telegram, AKA "Stand back, we have Math PhDs!" http://unhandledexpression.com:8081/crypto/general/security/...
* 2015: IND-CCA issues https://eprint.iacr.org/2015/1177.pdf,
* 2015 64-bit complexity MITM attack https://web.archive.org/web/20160425091011/http://www.alexra...
* 2021 Valsorda "The Most Backdoor-Looking Bug I've Ever Seen" https://words.filippo.io/telegram-ecdh/,
* 2021 https://mtpsym.github.io/ and https://mtpsym.github.io/paper.pdf
Some analysis:
* 2025 Matthew Green analysis https://blog.cryptographyengineering.com/2024/08/25/telegram...
* 2025 "Telegram is indistinguishable from an FSB honeypot" https://rys.io/en/179.html
Also,
They employ volunteering sockpuppets https://tsf.telegram.org/
Durov who supposedly lives in exile has visited Russia over 50 times https://eutoday.net/pavel-durovs-secret-visits-to-russia/
I can't scream "drop & run" loud enough.
Telegram has nothing to do with Russia, other than having a Russian founder, and the Ukrainian military has literally relied upon it in the past, along with many Ukrainian civic services. You people are just racist towards Russians and need help.
Based on the analysis of packet captures above, I believe it is clear that anyone who has sufficient visibility into Telegram’s traffic would be able to identify and track traffic of specific user devices. Including when perfect forward secrecy protocol feature is in use.
This would also allow, through some additional analysis based on timing and packet sizes, to potentially identify who is communicating with whom using Telegram.
I love how the author of your honeypot blog post has nothing concrete other than potential attack vectors and is like "Well this is obviously a Russian honeypot" with no evidence what so ever other than a claim that there are plain text device identifiers, which is something the FSB would do. [insert clown emoji]. You can do similar attacks on signal and whatsapp.. Why is it that the Russian one bothers you so much?